Thank you very much, Mr. Chair, and thank you for the opportunity to testify today.
Good afternoon, members of the committee. In the few minutes I have, I'd like to go over some of the key findings of CIPPIC's two recent studies, which were mailed to each of you last week. I'll then highlight what we think are PIPEDA's major flaws and suggest ways of correcting them.
For more specifics, I would refer you to our written submission dated November 28, 2006. I understand you have an executive summary and the recommendations from that submission with you today. That submission includes a brief description of CIPPIC and of my background, as well as a detailed list and explanation of our 20 recommendations.
I have been working in the privacy field for about 15 years, primarily as a consumer advocate. Since the early nineties, I have worked closely and productively with the Canadian Marketing Association, the Retail Council of Canada, Canadian Bankers Association, ITAC, telecom companies, and other business interests on various privacy-related matters, including the code that forms the basis of PIPEDA.
Since starting up CIPPIC in 2003, I have focused on making privacy laws work by researching marketplace practices, exposing questionable practices, and holding organizations accountable. I've been a staunch advocate of PIPEDA since its conception, and I continue to be a strong supporter of the act.
However, with almost six years of experience with this legislation under our belts, it's become clear that there are a number of gaps and flaws in the regime. I'd like first to talk about what we found when we researched the Canadian data brokerage industry. We found many instances of consumer lists for sale or rent where the likelihood that those consumers had truly consented to the subsequent trading of their names and contact information was highly questionable. For example, one list we found has information about individual and household lifestyles, hobbies, and demographics on almost 900,000 Canadians. The information for this list comes from product registration cards filled out by consumers. Another list has age, gender, home address, and telephone numbers of almost 50,000 frequent travellers in Canada. The information for this was obtained from corporate client databases of airline ticketing offices and travel agencies.
Another list has the gender, monthly income, home and business address of almost 13,000 Canadians with gold cards. This information came from payment processing companies. We found numerous lists offering detailed health information about Canadians who had provided this information on websites or in response to surveys. I could go on and on. This is just a very small selection of the information we found. The point is, there's a vibrant industry in the compilation and trading of these lists for direct marketing and potentially other purposes, and it's not at all clear that the individuals on these lists have consented to such use of their information.
The second study we did is called Compliance with Canadian Data Protection Laws. This was conceived and designed for the very purpose of this review. We tested the compliance of 64 online retailers with three of PIPEDA's most basic requirements, those being openness, accountability, and consent. Our sample included large and small companies and covered nine different types of business, from magazine publishers to general retailers. We also tested the compliance of a separate sample of 72 companies with PIPEDA's requirement for individual access.
The results were sobering. In brief, we found widespread non-compliance with the act. Over half of the 64 companies we contacted by phone could not provide contact information for the person in the company responsible for privacy. Two-thirds refused to provide their privacy policy by any means other than their website. Looking at privacy policies, 70% were incomplete in some important respect, 22% were unclear about why they collect the information, 30% were unclear about how they use the information, and 45% were unclear about to whom they disclose the information.
A third of companies we tested don't bother to get consent during the online ordering process. Most companies rely on their privacy policies to get consent. But over half failed to bring the policy to the attention of shoppers, and 60% buried the opt-out consent inconspicuously in their policy.
We found a disturbing number of misleading representations in the policies or on the websites suggesting, for example, that the company would not share your information without consent, but then deep down in the policy it stated that your consent was being assumed. Somewhere between 11% and 39% of our sample required consumers to agree to unnecessary uses and disclosures in order to transact. We couldn't be sure of the number because the policies were unclear.
On individual access--that's the right of someone to access their own personal information held by the company--over a third of the companies to which we sent requests failed to respond at all. Of those that did respond, most failed to answer all three questions we asked. Only 21% fully complied with PIPEDA's requirement to answer these questions.
Our compliance study was conducted in early 2006, five years after PIPEDA came into force. Surely, five years is an ample grace period for companies to get compliant with these pretty basic obligations. So why such a high rate of non-compliance? I think there are two reasons. First and foremost, there's no real incentive for companies to comply with PIPEDA. Second, the act's provisions on notice and consent are unclear.
Something needs to change in the enforcement of this legislation. Companies have to believe that they risk significant reputational or financial damage if they don't comply. That's simply not the case now. Even reckless and wilful violators get away with, at most, a private admonishment from the Privacy Commissioner. We've made a number of recommendations to rectify this situation, most of which do not require any major change to the enforcement regime. Although we think that the commissioner should have order-making powers, there are a number of other amendments that could collectively create the kinds of incentives that industry needs. I refer you specifically to recommendations 3 to 11 in our written submission.
Another possible reason for some of the non-compliance we found is that certain of the act's obligations are unclear. Notice and consent requirements, in particular, are poorly drafted. Now, I take some responsibility for that. I was on the CSA committee, but the CSA code was drafted as a voluntary code, not as legislation. I think I can safely say that no one on the committee ever expected that it would become law as drafted. Alberta and British Columbia have done a much better job of articulating the obligations that PIPEDA meant to convey. We therefore recommend a redrafting of PIPEDA's consent provisions along the lines of the Alberta legislation.
Our study also exposed strange gaps in the act that limit its effectiveness. For example, there's no clear requirement to advise people as to how their information will be used. That's just implicit in the consent requirement. Second, there's no requirement for organizations to disclose the source from which they got your information if you ask them. And there are no special limitations regarding the collection of information from children, whose credulity and ignorance can easily be exploited by commercial interests.
We've provided you with recommendations addressing all these gaps and drafting issues. I don't have time to cover the rest of our recommendations, but let me briefly mention data breach notification.
Over the past year, CIPPIC has been leading a multi-researcher project on identity theft, funded in part by the banks. Identity theft strikes relatively few unlucky individuals, but when it strikes, it can be devastating, and its incidence seems to be growing. There's nothing in PIPEDA that requires organizations to inform affected individuals of security breaches that make them vulnerable to identity theft, and there's little market incentive for organizations to expose their faults voluntarily. We think there should be a legislative requirement for organizations to notify individuals when their data is exposed to potential abuse. We've been researching the existing Canadian law on data breach notification, the various approaches being taken in the United States to this issue, and the arguments for and against. We will be publishing a white paper on the issue with detailed recommendations before Christmas, and I would be happy to share that with you.
Thank you very much for your time. I'd be pleased to answer any questions.